Passive DNS Exchange

Mission

This group works to define a common output format of Passive DNS Servers which clients can query. Over time, since the initial announcement of Passive DNS replication at the 17^th Annual FIRST Conference on Computer Security by Florian Weimer, multiple Passive DNS Implementations were developed. This standard proposes a common output format to make Passive DNS information more universally useable.

Goals/Deliverables

The initial goal of this SIG was to collaboratively develop a common output format (COF) for Passive DNS data.As a result of this SIG, anInternet Draft was published on September 9^th 2014.

The lastest version can be found on theIETF site. The source code of the standard can be foundon github. Change requests or discussions are welcome on github or on the mailing list.

Code

Apart from definining the standard, farsight and the group added aMISP module calledcof2misp which can import COF into MISP. There, the full power of the MISP correlation engine can be employed to find matching indicators of compromise.Therefore, by importing the COF format into MISP, we can pivot back and forth between passive DNS databases and MISP.

If you want to try out the cof2MISP module and if you are a member of FIRST, thehttps://misp.first.org instance has the cof2MISP module installed, and you can try correlating events.If you need to get access to passive DNS DB servers, you can ask:

• CIRCL.lu
• farsight (which is the largest passive DNS database operatore to the best of the author's knowledge)
  • obtaining keys from Farsight Security
• ... or any of the other passive DNS server operators.

Status quo

• the silence procedure for the draft ended by May 19th, 2021. We are now ready to submit to the IETF WG.

Next steps

• bringing it into the standards track.
• specify a query format (client to pDNS server) common format (RESTful API specs)

Authors

• Alexandre Dulaunoy (alexandre.dulaunoy@circl.lu)
• Aaron Kaplan (aaron@lo-res.org)
• Paul Vixie (paul@redbarn.org)

• Initiatives
  • Special Interest Groups (SIGs)
    • SIGs Framework
    • Academic Security SIG
    • AI Security SIG
    • Automation SIG
    • Cybersecurity Communications SIG
    • Common Vulnerability Scoring System (CVSS-SIG)
      • Calculator
      • Specification Document
      • User Guide
      • Implementation Guide
      • Examples
      • Frequently Asked Questions
      • CVSS v4.0 Documentation & Resources
        • CVSS v4.0 Calculator
        • CVSS v4.0 Specification Document
        • CVSS v4.0 User Guide
        • CVSS v4.0 Implementation Guide
        • CVSS v4.0 Examples
        • CVSS v4.0 FAQ
      • CVSS v3.1 Archive
        • CVSS v3.1 Calculator
        • CVSS v3.1 Specification Document
        • CVSS v3.1 User Guide
        • CVSS v3.1 Examples
        • CVSS v3.1 Calculator Use & Design
      • CVSS v3.0 Archive
        • CVSS v3.0 Calculator
        • CVSS v3.0 Specification Document
        • CVSS v3.0 User Guide
        • CVSS v3.0 Examples
        • CVSS v3.0 Calculator Use & Design
      • CVSS v2 Archive
        • CVSS v2 Complete Documentation
        • CVSS v2 History
        • CVSS-SIG team
        • SIG Meetings
        • Frequently Asked Questions
        • CVSS Adopters
        • CVSS Links
      • CVSS v1 Archive
        • Introduction to CVSS
        • Frequently Asked Questions
        • Complete CVSS v1 Guide
      • JSON & XML Data Representations
      • CVSS On-Line Training Course
      • Identity & logo usage
    • CSIRT Framework Development SIG
    • Cyber Insurance SIG
      • Cyber Insurance SIG Webinars
    • Cyber Threat Intelligence SIG
      • Curriculum
        • Introduction
        • Introduction to CTI as a General topic
        • Methods and Methodology
        • Priority Intelligence Requirement (PIR)
        • Source Evaluation and Information Reliability
        • Machine and Human Analysis Techniques (and Intelligence Cycle)
        • Threat Modelling
        • Training
        • Standards
        • Glossary
        • Communicating Uncertainties in CTI Reporting
      • Webinars and Online Training
      • Building a CTI program and team
        • Program maturity stages
          • CTI Maturity model - Stage 1
          • CTI Maturity model - Stage 2
          • CTI Maturity model - Stage 3
        • Program Starter Kit
        • Resources and supporting materials
    • Detection Engineering & Threat Hunting SIG
    • Digital Safety SIG
    • DNS Abuse SIG
      • Stakeholder Advice
        • Detection
          • Cache Poisoning
          • Creation of Malicious Subdomains Under Dynamic DNS Providers
          • DGA Domains
          • DNS As a Vector for DoS
          • DNS Beacons - C2 Communication
          • DNS Rebinding
          • DNS Server Compromise
          • DNS Tunneling
          • DoS Against the DNS
          • Domain Name Compromise
          • Dynamic DNS (as obfuscation technique)
          • Fast Flux (as obfuscation technique)
          • Infiltration and exfiltration via the DNS
          • Lame Delegations
          • Local Resolver Hijacking
          • Malicious registration of (effective) second level domains
          • On-path DNS Attack
          • Stub Resolver Hijacking
          • Spoofing of a Registered Domain
          • Spoofing of Unregistered Domains
      • Code of Conduct & Other Policies
      • Examples of DNS Abuse
    • Ethics SIG
      • Ethics for Incident Response Teams
    • Exploit Prediction Scoring System (EPSS)
      • The EPSS Model
      • Data and Statistics
      • User Guide
      • EPSS Research and Presentations
      • Frequently Asked Questions
      • Who is using EPSS?
      • Open-source EPSS Tools
      • API
      • Related Exploit Research
      • Blog
        • Understanding EPSS Probabilities and Percentiles
        • Log4Shell Use Case
        • Estimating CVSS v3 Scores for 100,000 Older Vulnerabilities
      • Data Partners
    • FIRST Multi-Stakeholder Ransomware SIG
    • Human Factors in Security SIG
    • Industrial Control Systems SIG (ICS-SIG)
    • Information Exchange Policy SIG (IEP-SIG)
    • Information Sharing SIG
      • Malware Information Sharing Platform
    • Law Enforcement SIG
    • Malware Analysis SIG
      • Malware Analysis Framework
      • Malware Analysis Tools
    • Metrics SIG
      • Metrics SIG Webinars
    • NETSEC SIG
    • Public Policy SIG
    • PSIRT SIG
    • Red Team SIG
    • Security Lounge SIG
    • Security Operations Center SIG
    • Standards SIG
    • Strategic Thinking and Planning SIG
    • Threat Intel Coalition SIG
      • Membership Requirements and Veto Rules
    • Time SIG
    • Traffic Light Protocol (TLP-SIG)
    • Transportation and Mobility SIG
    • Vulnerability Coordination
      • Multi-Party Vulnerability Coordination and Disclosure
      • Guidelines and Practices for Multi-Party Vulnerability Coordination and Disclosure
    • Vulnerability Reporting and Data eXchange SIG (VRDX-SIG)
      • Vulnerability Database Catalog
    • Women of FIRST
  • CCB Initiatives
  • FIRST CORE
    • Sponsorship Opportunities
  • Internet Governance
  • IR Database
  • Fellowship Program
    • Application Form
  • Mentorship Program
  • IR Hall of Fame
    • Hall of Fame Inductees
  • Victim Notification
  • Volunteers at FIRST
    • FIRST Volunteers
  • Member Spotlight
  • Previous Activities
    • Best Practices Contest